Large data breaches have become increasingly common: in 2016 alone we have learned of Yahoo’s breach, the LinkedIn hack (compromising 167 million accounts) and the MySpace breach (360 million accounts).

When personal information is stolen, rapid response is important. Customers need to change their passwords, and take other steps to protect their identity, including securing bank accounts and credit records. If people don’t know a breach has occurred and that they need to take these protective steps, they remain vulnerable.

So why does it take such a long time for companies to disclose that they have been hacked? It’s not as simple as you might think – or hope.

But more than a month later, the company filed a document with U.S. financial regulators saying it didn’t know of any claims of “unauthorized access” that might have an effect on its pending sale to Verizon. And Verizon said publicly that it had heard about the breach only two days before Yahoo announced it to the world.

That includes companies of all sizes in all types of business. Because Yahoo is a major internet company with an extremely large user base, it’s reasonable to expect it to detect – and disclose – breaches much sooner than other firms.

Detecting, and confirming, the hack

The company has said it believes the attack was conducted by a national government, though it hasn’t said from what country. That may suggest the attack was more sophisticated, and therefore harder to detect – but it’s impossible to know if that’s true, because the company has declined to offer details of how the breach was achieved.

In addition, anyone on the internet can claim anything they want – companies have to investigate their systems to find out whether someone advertising login information for sale actually took anything, or is just making it up to cause trouble.

Nontechnical reasons that Yahoo took so long to discover the hack could include frequent changes in leadership of its security team and the companywide stress of finding a buyer.

Notifying the public

Once a company has learned it has been hacked, it’s important to tell customers – and the public – so that people can take proper measures to protect their information, privacy and identities.

At present there is no federal law regarding when companies must tell the public about information security breaches. In 2015, Democrats proposed giving firms 30 days from discovering a hack to announcing it had happened. That effort failed because many states, which have varying requirements, have stricter standards that the federal law would have overruled.

Recovering a corporate reputation

Tech companies can typically recover quickly from data breaches – if they respond fast and take the necessary steps to notify their users. That’s true even for corporations whose data breaches resulted in the compromise of customers’ credit card information, such as Target in 2013 and Home Depot in 2014.

Lawsuits filed after the breaches have cost companies millions in settlement costs, not to mention legal fees and lost business. The lesson is clear: Early disclosure of a data breach is better. If Yahoo knew about its hack as early as August – or even years ago – and took this long to announce it to the public, the company has manifestly betrayed its users’ trust.

It can be extremely difficult for companies, even tech-focused ones like Yahoo, to protect themselves from skilled and determined hackers. But not reporting the attack as soon as it’s suspected can be almost as damaging as the hack itself.